Nessus 3.0 Closes the Book on Open Source

Open source vulnerability scanner not as open source as it used to be, but does it matter?

In the open source world, changing an application license from open source to a non-open source license is generally not viewed as a particularly community friendly thing to do.

Yet, that's exactly what the popular Nessus vulnerability scanner's overseers announced they were doing back in October. Tenable Network Security, the firm that sponsors and commercially provides Nessus, has recently released version 3.0 of the vulnerability scanner, the first version of the scanner not to be released under the GPL.

Tenable's Nessus license flip-flop has raised the ire of many in the open source community and has even led to a fork of the project that is backed by an influential community-based open source organization, Software in the Public Interest (SPI).

Nessus 3.0 itself offers a number of improvements over its GPL-licensed predecessor.

"Nessus 3.0 is a complete re-write of Nessus with a focus on dramatically increased speed," Ron Gula, CTO of Tenable Network Security, told internetnews.com. "This engine may very well serve the community for the next five years."

Gula explained that Tenable has a lot in store for Nessus 3.0, especially in the areas of configuration auditing, patch management and compliance testing.

"One of Nessus 3.0's huge advantages right now is that we can perform almost any sort of query or audit on a host that you would normally need an agent for," Gula said. "Many of Tenable's customers also combine Nessus 3.0 with our passive monitoring, log analysis and reporting and visualization tools to offer a one-stop shop for security management."

The fact that Nessus 3.0 is no longer GPL-licensed doesn't present any development issues to Tenable, according to Gula. In fact, it may well remove some issues.

"The Nessus 2 scanner is still available under the GPL for people who want to be 100 percent GPL," Gula explained. "For Nessus 3, we offer tested binaries in a variety of packages, so in some ways it's easier to support."

Alan Shimel, chief strategy officer at security vendor StillSecure, anticipates that the change in licensing will cause many users of Nessus to rethink their strategy. StillSecure offers the open source version of Nessus as a default scanner and it offers the ability to integrate Nessus scan results into StillSecure's vulnerability management platform (VAM).

The fact that the latest version of Nessus is no longer GPL-licensed doesn't, however, present any issues for StillSecure. Shimel noted that StillSecure has an extensive team of engineers who work on the vulnerability management portion of VAM as well as on the vulnerability scans.

StillSecure produces three major releases of its vulnerability management platform each year and Shimel anticipates that they will continue at that pace.

"Ultimately, the new licensing is causing Nessus users to pause and rethink their strategy," Shimel said. "We are working with customers and prospects to educate them on the license change and the potential impact to their organizations."

Whether or not Nessus 3.0 is successful as a non-GPL-licensed application is something that only time will tell, Shimel argues.

"Without an open source community backing Nessus there is clearly an argument that it may not survive as it does today," Shimel said. "However, the open source community is generally pretty resilient. Already, there is an open source fork of Nessus underway at www.openvas.org. Often when a door closes, another one opens and it seems to be the case in this scenario."

The Nessus fork, OpenVAS, may well prove to be a strong competitor to Nessus. Then again, it might not. OpenVAS has recently won the support of SPI to be an officially recognized SPI project. SPI is the open source organization that backs the Debian GNU/Linux distribution.